Vtech Kidizoom Smartwatches are seen on display at a toy store in Hong Kong, China. Credit: Tyrone Siu/Reuters
Toys are dangerous.
No, I'm not talking about toys with sharp edges, toxic materials or small parts that constitute choking hazards.
I'm talking about hacking -- a new threat to the safety of children. Last week, the risk got real.
Of course, smart and connected toys can be fun for kids -- and safe, too. But as we learned last week, the new generation of toys can pose serious risks.
A Hong Kong-based company called VTech got hacked Nov. 14. VTech makes a wide variety of consumer electronics and is one of the world's largest toy makers. Some of its toys encourage the use of VTech's Kid Connect program, which enables kids to chat with parents and download content.
The hacker exposed the breach to the online publication Motherboard and claimed that the point of the hack was to expose VTech's bad security.
The hacker was able to steal names, mailing addresses, email addresses, IP addresses, download histories, the genders and birth dates of the children, pictures of the victims, chats conducted between parents and their children, and much more.
According to reports, the breach affected 6,368,509 children and 4,854,209 parents. Nearly 3 million of those children are in the U.S., and millions more are in Europe.
In this column, I'll offer an optimistic view of the hack, followed by a pessimistic one. I'll tell you the scope of the new risks to children in general and then give you great advice you've never heard before about how to keep kids safe.
The best-case scenario
The best-case scenario is that a single, ethical hacker exposed VTech's bad security. Now that the exposure has embarrassed the company, it will be shamed into a radical overhaul of its security practices and then secure customer data so that it's nearly impossible to compromise in the future.
In fact, VTech has already hired FireEye's Mandiant forensics unit to help make its infrastructure secure. In other words, no harm will come from this entire event.
That's the best-case scenario. Now brace yourself for the worst.
The worst-case scenario
Because VTech's security was so pathetically bad, it's theoretically possible that all the VTech data acquired in this hack had also been stolen previously by unethical hackers.
"All the evidence suggested I wasn't the only person outside of VTech who could have got the data," the hacker told Motherboard.
This data could be sold or posted for free on the dark Web to pedophiles, who could use the data to go "shopping" for victims by browsing the photos. They could learn all about the children for the purpose of socially engineering them or conning them, then they could use the home addresses in the database to find, exploit and even attack them.